Securing Remote Access
Section 17: Securing Administrative Access

Each Telnet port on the switch or router is known as a vty. By default, you cannot establish a Telnet connection unless you first set all the vty passwords. That is a good thing, because you do not want just anyone connecting to your switch or router. If there are no vty passwords set, when you try to use Telnet, you will get a "password required ... but none set ..." error message, and your attempt to use Telnet is rejected. Therefore, for Telnet vty ports to accept a Telnet EXEC session, you must set the vty passwords. The line vty 0 4 command, followed by the login and password subcommands, requires login and establishes a login password on incoming Telnet sessions.

Virtual terminal (Telnet) password configuration:

    Switch(config)# line vty 0 4
    Switch(config-line)# login
    Switch(config-line)# password sanjose

The login local command can be used to enable password checking on a per-user basis, using the username and password that are specified with the username global configuration command. The username command establishes username authentication with encrypted passwords.

By default, there are five vty ports on the switch, allowing five concurrent Telnet sessions. However, some Cisco devices might have more than five logical vty ports. The five total vty ports are numbered from 0 through 4 and are referred to all at once as line vty 0 4 (notice the space between 0 and 4 in the example above). By syntax, this would include the range from 0 to 4, so it includes all five logical vty ports, 0-4.

The exec-timeout command prevents users from remaining connected to a vty port when they leave a station. In the following example, when no user input is detected on a vty line for 5 minutes, the vty session is automatically disconnected.

    Switch(config-line)# exec-timeout 5

Configuring Usernames and SSH

Telnet sends all data, including all passwords that are entered by the user, as cleartext.
The SSH application provides the same function as Telnet, displaying a terminal emulator window and allowing the user to remotely connect to the CLI of another host. However, SSH encrypts the data that is sent between the SSH client and the SSH server, making SSH the preferred method for remote login to switches and routers today.

To configure SSH on a Cisco switch or router, you need to complete the following steps:

1. Use the hostname command to configure the hostname of the device so that it is not Switch (on a Cisco switch) or Router (on a Cisco router).
2. Configure the DNS domain with the ip domain-name command.
3. Generate RSA keys to be used in authentication with the crypto key generate rsa command.
4. Configure the user credentials to be used for authentication. By specifying the login local command for vty lines, you are essentially telling the network device to use locally defined credentials for authentication. Configure locally defined credentials using the username username password password command.
5. (Optional) You can also limit access to a device to users that use SSH and block Telnet with the vty mode command transport input ssh. If you want to support login banners and enhanced security encryption algorithms, force SSH version 2 on your device with the command ssh version 2 in global configuration mode. To allow Telnet to be supported in addition to SSH, use the transport input telnet ssh command.

The following example shows the same switch commands entered in configuration mode:

    R1#
    R1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# line vty 0 15
    ! Step 1's command happens next
    R1(config-line)#login local
    ! Step 2's command happens next
    R1(config-line)#transport input telnet ssh
    R1(config-line)#exit
    ! Step 3's command happens next
    R1(config)#username joy password hope
    ! Step 4's command happens next
    R1(config)#ip domain-name example.com
    ! Step 5's command happens next
    R1(config)#crypto key generate rsa
    The name for the keys will be: R1.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]

    00:03:58: %SSH-5-ENABLED: SSH 1.99 has been enabled
    R1(config)#^Z
    ! Next, the contents of the public key are listed; the key will be needed by the SSH client.
    R1#show crypto key mypubkey rsa
    % Key pair was generated at: 00:03:58 UTC Mar 1 1993
    Key name: R1.example.com
     Usage: General Purpose Key
     Key is not exportable.
     Key Data:
      30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DB43DC
      49C258FA 8E0B8EB2 0A6C8888 A00D29CE EAEE615B 456B68FD 491A9B63 B39A4334
      86F64E02 1B320256 01941831 7B7304A2 720A57DA FBB3E75A 94517901 7764C332
      A3A482B1 DB4F154E A84773B5 5337CE8C B1F5E832 8213EE6B 73B77006 BA8782DE
      180966D9 9A6476D7 C9164ECE 1DC752BB 955F5BDE F82BFCB2 A273C58C 8B020301
      0001
    % Key pair was generated at: 00:04:01 UTC Mar 1 1993
    Key name: R1.example.com.server
     Usage: Encryption Key
     Key is not exportable.
     Key Data:
      307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AC339C D4916728
      6ACB627E A5EE26A5 00946AF9 E63FF322 A2DB4994 9E37BFDA AB1C503E AAF69FB3
      2A22A5F3 0AA94454 B8242D72 A8582E7B 0642CF2B C06E0710 B0A06048 D90CBE9E
      F0B88179 EC1C5EAC D551109D 69E39160 86C50122 9A37E954 85020301 0001

After you have configured SSH, use the show ip ssh command to verify the version and configuration data for SSH on the device that you configured as an SSH server.
In the following example, SSH version 2 is enabled:

    Switch#show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 120 secs; Authentication retries: 3

To check the SSH connection to the device, use the show ssh command, as shown here:

    Switch#show ssh
    Connection  Version  Encryption  State            Username
    0           1.5      3DES        Session started  cisco

You can use the built-in SSH client of a device to connect to other SSH servers. The privileged mode command is ssh. Here, you see the available options that can be used with SSH:

    Switch#ssh ?
      -c    Select encryption algorithm
      -l    Log in using this user name
      -m    Select HMAC algorithm
      -p    Connect to this port
      -v    Specify SSH Protocol Version
      -vrf  Specify vrf name
      WORD  IP address or hostname of a remote system
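The settings this section walks through (login local on the vty lines, transport input restricted to SSH, an exec-timeout, and forcing SSH version 2) can be checked against a saved running-config rather than by eye. The Python script below is an added example, not code from the original page or from Cisco; it parses a constructed sample configuration embedded inline and reports each vty range that still permits Telnet, lacks per-user login, or has no idle timeout, plus a global finding when the ip ssh version 2 setting is absent (without it IOS reports "SSH 1.99", meaning SSHv1 clients are still accepted).

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not captured from a real device).
# "line vty 0 4" follows the hardened pattern from this section; "line vty 5 15"
# still permits Telnet and has no idle timeout, so the audit should flag it.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
ip ssh version 2
username joy secret 5 $1$PLACEHOLDER_HASH
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""


def parse_vty_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty A B' header to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the current vty block
    return blocks


def audit_remote_access(config: str) -> List[str]:
    """Return one finding per weak or missing remote-access setting."""
    findings: List[str] = []
    # Without this, IOS reports "SSH 1.99", i.e. it still accepts SSHv1 clients.
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: ip ssh version 2 not set")
    for header, cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{header}: Telnet permitted ({transport or 'no transport input set'})")
        if "login local" not in cmds:
            findings.append(f"{header}: not using per-user login local authentication")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{header}: no exec-timeout, idle sessions stay connected")
    return findings
```

Run audit_remote_access over the output of show running-config saved to a file; an empty list means every vty range matches the hardened pattern described above.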